1 Reply Latest reply: Oct 18, 2009 1:21 PM by 843810

    HTTP/SPNEGO Authentication

    843810
      Hi,

      Having read in posting [http://forums.sun.com/thread.jspa?threadID=5362388&tstart=15|http://forums.sun.com/thread.jspa?threadID=5362388&tstart=15] that "Sun's GSSAPI implementation (a.k.a. JGSS) can only generate and consume raw Kerberos tokens and SPNEGO tokens containing Kerberos tokens", I'm still wondering why the getPasswordAuthentication() in class MyAuthenticator of Sun's [HTTP/SPNEGO example (2nd case)|http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab/part6.html#Example] is not called upon starting the client without giving any arguments, i.e.
      java RunHttpSpnego http://www.ad.local/hello/hello.html
      From the server the client receives a
      WWW-Authenticate: Negotiate
      response, and the client should enter the HTTP/SPNEGO challenge/response protocol.

      To summarize, class MyAuthenticator looks like:
      class MyAuthenticator extends Authenticator {
          public PasswordAuthentication getPasswordAuthentication() {
              // I haven't checked getRequestingScheme() here, since for NTLM
              // and Negotiate, the username and password are all the same.
              System.err.println("Feeding username and password for "
                  + getRequestingScheme());
              return (new PasswordAuthentication(kuser, kpass.toCharArray()));
          }
      }
      It should be called as a side effect of openConnection() upon executing the following code:
      Authenticator.setDefault(new MyAuthenticator());
      URL url = new URL(args[0]);
      InputStream ins = url.openConnection().getInputStream();
      ...
      My client environment is Windows Vista, Java 1.6.0_16, and the client is not a member of an Active Directory.
        • 1. Re: HTTP/SPNEGO Authentication
          843810
          Perhaps the issue is with this quote:

          "Sun's GSSAPI implementation (a.k.a. JGSS) can only generate and consume raw Kerberos tokens and SPNEGO tokens containing Kerberos tokens"

          I believe the HttpURLConnection class in JDK 1.6 can handle NTLM.

          Meaning, if you log on to your workstation as a domain user and run the java code, it is probably using NTLM.

          I recall noticing this when I put TCPMon between the workstation and the server.
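
Added example, not part of the original thread: a small Python classifier for the token carried in a captured `Authorization: Negotiate ...` header (for instance, one seen through a proxy such as TCPMon), telling a raw NTLM message apart from a GSS-API token whose outer mechanism is SPNEGO or Kerberos. The function names and both sample header values are constructed for illustration, and the list of offered mechanisms comes from a byte search for OIDs, which is a heuristic rather than a full ASN.1 parse.

```python
import base64

# Well-known mechanism OIDs, DER content bytes only (no tag or length).
MECHS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",               # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "Kerberos V5",    # 1.2.840.113554.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",      # 1.3.6.1.4.1.311.2.2.10
}
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def tlv(tag, body):
    """DER tag-length-value, short-form length only (body under 128 bytes)."""
    return bytes([tag, len(body)]) + body

def classify(header_value):
    """Return (scheme, outer token kind, mechanisms found inside the token)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if not b64.strip():
        return (scheme, "no token", [])
    tok = base64.b64decode(b64.strip())
    if tok.startswith(b"NTLMSSP\x00") and len(tok) >= 12:
        mtype = int.from_bytes(tok[8:12], "little")
        return (scheme, "raw NTLM " + NTLM_TYPES.get(mtype, "type %d" % mtype), [])
    if len(tok) < 4 or tok[0] != 0x60:
        # Follow-up SPNEGO messages (NegTokenResp, tag 0xa1) also end up here.
        return (scheme, "not an initial GSS-API token", [])
    # Skip the DER length: one byte in short form, 0x80|n plus n bytes in long form.
    pos = 2 + ((tok[1] & 0x7F) if tok[1] & 0x80 else 0)
    if len(tok) < pos + 2 or tok[pos] != 0x06:
        return (scheme, "malformed GSS-API token", [])
    end = pos + 2 + tok[pos + 1]
    outer = MECHS.get(tok[pos + 2:end], "unknown mech " + tok[pos + 2:end].hex())
    # Heuristic: find OIDs of offered mechanisms after the outer OID by byte search.
    offered = [name for der, name in MECHS.items()
               if tlv(0x06, der) in tok[end:]]
    return (scheme, outer, offered)

# Constructed samples: an NTLM type 1 message, and a minimal SPNEGO
# NegTokenInit whose mechTypes list offers only Kerberos V5.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(4)).decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(tlv(0x60,
    tlv(0x06, bytes.fromhex("2b0601050502")) + tlv(0xA0, tlv(0x30, tlv(0xA0,
    tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f712010202")))))))).decode()

if __name__ == "__main__":
    for sample in (SAMPLE_NTLM, SAMPLE_SPNEGO, "Negotiate"):
        print(classify(sample))
```

A base64 token beginning with `TlRMTVNTUAAB` is the quick visual sign of a raw NTLM negotiate message in the header.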